diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index c2842773..e2399ba1 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -201,9 +201,11 @@ centos9s/openssl_3.5.x/x86_64/fips: variables: OPENSSL_ENABLE_SHA1_SIGNATURES: 1 script: + # torture_gssapi_key_exchange_* tests are excluded because gssapi-keyex is disabled + # by OpenSSH in FIPS mode in RHEL 9 - cmake $CMAKE_OPTIONS $CMAKE_ADDITIONAL_OPTIONS .. && make -j$(nproc) && - OPENSSL_FORCE_FIPS_MODE=1 ctest --output-on-failure + OPENSSL_FORCE_FIPS_MODE=1 ctest --output-on-failure -E "^torture_gssapi_key_exchange.*" centos8s/openssl_1.1.1/x86_64: image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$CENTOS8_BUILD @@ -219,9 +221,11 @@ centos8s/openssl_1.1.1/x86_64/fips: extends: .fips image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$CENTOS8_BUILD script: + # torture_gssapi_key_exchange_* and torture_gssapi_server_key_exchange_* tests are excluded + # because gssapi-keyex is not allowed in FIPS mode in RHEL 8 - cmake $CMAKE_OPTIONS $CMAKE_ADDITIONAL_OPTIONS .. && make -j$(nproc) && - OPENSSL_FORCE_FIPS_MODE=1 ctest --output-on-failure + OPENSSL_FORCE_FIPS_MODE=1 ctest --output-on-failure -E "^torture_gssapi.*key_exchange.*" ############################################################################### # Fedora builds # diff --git a/src/gssapi.c b/src/gssapi.c index 94ecee22..7c5914d6 100644 --- a/src/gssapi.c +++ b/src/gssapi.c @@ -672,7 +672,6 @@ fail: */ char *ssh_gssapi_oid_hash(ssh_string oid) { - MD5CTX ctx = NULL; unsigned char *h = NULL; int rc; char *base64 = NULL; @@ -682,19 +681,7 @@ char *ssh_gssapi_oid_hash(ssh_string oid) return NULL; } - ctx = md5_init(); - if (ctx == NULL) { - SAFE_FREE(h); - return NULL; - } - - rc = md5_update(ctx, ssh_string_data(oid), ssh_string_len(oid)); - if (rc != SSH_OK) { - SAFE_FREE(h); - md5_ctx_free(ctx); - return NULL; - } - rc = md5_final(h, ctx); + rc = md5(ssh_string_data(oid), ssh_string_len(oid), h); if (rc != SSH_OK) { SAFE_FREE(h); return NULL; 
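Review bot: The FIPS-mode GSSAPI key-exchange path that this same commit enables in src/kex.c and src/server.c is not exercised by any FIPS CI job, because both `/fips` jobs now pass `-E` patterns that drop every torture_gssapi*key_exchange test. If the exclusion is only needed because the OpenSSH peer on RHEL 8/9 refuses gssapi-keyex in FIPS mode, consider keeping any test that pairs the libssh client with the libssh server, or widening the comment to say that the new `fips_methods[SSH_KEX]` branch is untested in CI so the gap is visible. The two regexes also differ on purpose (`^torture_gssapi_key_exchange.*` vs `^torture_gssapi.*key_exchange.*`); the comments explain it, but naming the excluded test binaries in the comment would make the intent easier to check later.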
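Review bot: ssh_gssapi_oid_hash still derives its result with MD5, and with the `!ssh_fips_mode()` guards removed in src/kex.c and src/server.c this function is now reachable in FIPS mode, so the new one-shot call deserves a comment explaining why that is acceptable. Suggested line above the `rc = md5(...)` call: `/* RFC 4462 names gss-* methods by the base64 MD5 of the mechanism OID; this is an identifier, not a security function, so it must also work in FIPS mode. */`. If `md5()` is backed by the crypto library (its implementation is not in the hunk), confirm it does not return an error when the FIPS provider rejects MD5, because that failure would silently disable GSSAPI key exchange rather than report it. The header comment of ssh_gssapi_oid_hash starts outside the hunk.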
diff --git a/src/kex.c b/src/kex.c index 63694286..4c279737 100644 --- a/src/kex.c +++ b/src/kex.c @@ -811,7 +811,7 @@ int ssh_set_client_kex(ssh_session session) return SSH_ERROR; } #ifdef WITH_GSSAPI - if (session->opts.gssapi_key_exchange && !ssh_fips_mode()) { + if (session->opts.gssapi_key_exchange) { char *gssapi_algs = NULL; ok = ssh_gssapi_init(session); @@ -831,9 +831,15 @@ int ssh_set_client_kex(ssh_session session) } /* Prefix the default algorithms with gsskex algs */ - session->opts.wanted_methods[SSH_KEX] = - ssh_prefix_without_duplicates(default_methods[SSH_KEX], - gssapi_algs); + if (ssh_fips_mode()) { + session->opts.wanted_methods[SSH_KEX] = + ssh_prefix_without_duplicates(fips_methods[SSH_KEX], + gssapi_algs); + } else { + session->opts.wanted_methods[SSH_KEX] = + ssh_prefix_without_duplicates(default_methods[SSH_KEX], + gssapi_algs); + } gssapi_null_alg = true; diff --git a/src/server.c b/src/server.c index 8ea082d5..32cee6ed 100644 --- a/src/server.c +++ b/src/server.c @@ -172,7 +172,7 @@ int server_set_kex(ssh_session session) } } #ifdef WITH_GSSAPI - if (session->opts.gssapi_key_exchange && !ssh_fips_mode()) { + if (session->opts.gssapi_key_exchange) { ok = ssh_gssapi_init(session); if (ok != SSH_OK) { ssh_set_error_oom(session); diff --git a/tests/client/torture_gssapi_key_exchange.c b/tests/client/torture_gssapi_key_exchange.c index cddaf09a..a1fcaa1d 100644 --- a/tests/client/torture_gssapi_key_exchange.c +++ b/tests/client/torture_gssapi_key_exchange.c @@ -78,11 +78,6 @@ static void torture_gssapi_key_exchange(void **state) int rc; bool t = true; - /* Skip test if in FIPS mode */ - if (ssh_fips_mode()) { - skip(); - } - /* Valid */ torture_setup_kdc_server( state, @@ -108,11 +103,6 @@ static void torture_gssapi_key_exchange_no_tgt(void **state) int rc; bool t = true; - /* Skip test if in FIPS mode */ - if (ssh_fips_mode()) { - skip(); - } - /* Don't run kinit */ torture_setup_kdc_server( state, 
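Review bot: In the new FIPS branch of ssh_set_client_kex, `gssapi_algs` is prepended to `fips_methods[SSH_KEX]` without any filtering, so unless the list built earlier in the function (outside this hunk) already omits the SHA-1 and group1 variants from RFC 4462, the client would offer non-FIPS-approved gss-* methods ahead of the FIPS list. Worth confirming that the gssapi_algs builder restricts itself to SHA-2 methods when `ssh_fips_mode()` is true; the same question applies to server_set_kex in src/server.c, where only the guard is dropped and no FIPS-specific list handling is visible. The two branches differ only in the base table, so e.g. `const char *base = ssh_fips_mode() ? fips_methods[SSH_KEX] : default_methods[SSH_KEX];` followed by a single `ssh_prefix_without_duplicates(base, gssapi_algs)` call would avoid the duplicated assignment. ssh_set_client_kex continues outside the hunk.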
@@ -144,11 +134,6 @@ static void torture_gssapi_key_exchange_alg(void **state, int rc; bool t = true; - /* Skip test if in FIPS mode */ - if (ssh_fips_mode()) { - skip(); - } - /* Valid */ torture_setup_kdc_server( state, @@ -213,11 +198,6 @@ static void torture_gssapi_key_exchange_auth(void **state) int rc; bool t = true; - /* Skip test if in FIPS mode */ - if (ssh_fips_mode()) { - skip(); - } - /* Valid */ torture_setup_kdc_server( state, @@ -247,11 +227,6 @@ static void torture_gssapi_key_exchange_no_auth(void **state) int rc; bool f = false; - /* Skip test if in FIPS mode */ - if (ssh_fips_mode()) { - skip(); - } - /* Valid */ torture_setup_kdc_server( state, diff --git a/tests/client/torture_gssapi_key_exchange_null.c b/tests/client/torture_gssapi_key_exchange_null.c index fb5da658..f461adfa 100644 --- a/tests/client/torture_gssapi_key_exchange_null.c +++ b/tests/client/torture_gssapi_key_exchange_null.c @@ -18,23 +18,21 @@ static int sshd_setup(void **state) s = *state; s->disable_hostkeys = true; - if (!ssh_fips_mode()) { - /* Temporary kerberos server */ - torture_setup_kdc_server( - state, - "kadmin.local addprinc -randkey host/server.libssh.site \n" - "kadmin.local ktadd -k $(dirname $0)/d/ssh.keytab host/server.libssh.site \n" - "kadmin.local addprinc -pw bar alice \n" - "kadmin.local list_principals", + torture_setup_kdc_server( + state, + "kadmin.local addprinc -randkey host/server.libssh.site \n" + "kadmin.local ktadd -k $(dirname $0)/d/ssh.keytab host/server.libssh.site \n" + "kadmin.local addprinc -pw bar alice \n" + "kadmin.local list_principals", - "echo bar | kinit alice"); + "echo bar | kinit alice"); - torture_update_sshd_config(state, - "GSSAPIAuthentication yes\n" - "GSSAPIKeyExchange yes\n"); + torture_update_sshd_config(state, + "GSSAPIAuthentication yes\n" + "GSSAPIKeyExchange yes\n"); + + torture_teardown_kdc_server(state); - torture_teardown_kdc_server(state); - } return 0; } 
@@ -95,11 +93,6 @@ static void torture_gssapi_key_exchange_null(void **state) int rc; bool t = true; - /* Skip test if in FIPS mode */ - if (ssh_fips_mode()) { - skip(); - } - /* Valid */ torture_setup_kdc_server( state, diff --git a/tests/server/torture_gssapi_server_key_exchange.c b/tests/server/torture_gssapi_server_key_exchange.c index a7d72eea..476786f3 100644 --- a/tests/server/torture_gssapi_server_key_exchange.c +++ b/tests/server/torture_gssapi_server_key_exchange.c @@ -281,11 +281,6 @@ static void torture_gssapi_server_key_exchange(void **state) int rc; bool t = true; - /* Skip test if in FIPS mode */ - if (ssh_fips_mode()) { - skip(); - } - assert_non_null(tss); s = tss->state; @@ -321,10 +316,6 @@ static void torture_gssapi_server_key_exchange_no_tgt(void **state) int rc; bool t = true; - /* Skip test if in FIPS mode */ - if (ssh_fips_mode()) { - skip(); - } assert_non_null(tss); @@ -366,11 +357,6 @@ static void torture_gssapi_server_key_exchange_alg(void **state, int rc; bool t = true; - /* Skip test if in FIPS mode */ - if (ssh_fips_mode()) { - skip(); - } - assert_non_null(tss); s = tss->state; @@ -444,11 +430,6 @@ static void torture_gssapi_server_key_exchange_auth(void **state) int rc; bool t = true; - /* Skip test if in FIPS mode */ - if (ssh_fips_mode()) { - skip(); - } - assert_non_null(tss); s = tss->state; @@ -487,11 +468,6 @@ static void torture_gssapi_server_key_exchange_no_auth(void **state) int rc; bool f = false; - /* Skip test if in FIPS mode */ - if (ssh_fips_mode()) { - skip(); - } - assert_non_null(tss); s = tss->state; diff --git a/tests/server/torture_gssapi_server_key_exchange_fallback.c b/tests/server/torture_gssapi_server_key_exchange_fallback.c index 8f113b6f..99207e95 100644 --- a/tests/server/torture_gssapi_server_key_exchange_fallback.c +++ b/tests/server/torture_gssapi_server_key_exchange_fallback.c 
@@ -278,11 +278,6 @@ static void torture_gssapi_server_key_exchange_fallback(void **state) int rc; bool t = true; - /* Skip test if in FIPS mode */ - if (ssh_fips_mode()) { - skip(); - } - assert_non_null(tss); s = tss->state; diff --git a/tests/server/torture_gssapi_server_key_exchange_null.c b/tests/server/torture_gssapi_server_key_exchange_null.c index 6de75a6b..9dc0c4e0 100644 --- a/tests/server/torture_gssapi_server_key_exchange_null.c +++ b/tests/server/torture_gssapi_server_key_exchange_null.c @@ -250,11 +250,6 @@ static void torture_gssapi_server_key_exchange_null(void **state) int rc; bool t = true; - /* Skip test if in FIPS mode */ - if (ssh_fips_mode()) { - skip(); - } - assert_non_null(tss); s = tss->state; @@ -293,10 +288,6 @@ static void torture_gssapi_server_key_exchange_no_tgt(void **state) int rc; bool t = true; - /* Skip test if in FIPS mode */ - if (ssh_fips_mode()) { - skip(); - } assert_non_null(tss); diff --git a/tests/torture.c b/tests/torture.c index 436a4aaf..873f85ec 100644 --- a/tests/torture.c +++ b/tests/torture.c @@ -999,10 +999,8 @@ torture_setup_create_sshd_config(void **state, bool pam, bool second_sshd) fips_config_string, second_sshd ? TORTURE_SSHD_SRV1_IPV4 : TORTURE_SSHD_SRV_IPV4, second_sshd ? TORTURE_SSHD_SRV1_IPV6 : TORTURE_SSHD_SRV_IPV6, - "HostKey", - rsa_hostkey, - "HostKey", - ecdsa_hostkey, + s->disable_hostkeys ? "" : "HostKey", s->disable_hostkeys ? "" : rsa_hostkey, + s->disable_hostkeys ? "" : "HostKey", s->disable_hostkeys ? "" : ecdsa_hostkey, trusted_ca_pubkey, sftp_server, usepam,
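Review bot: When `s->disable_hostkeys` is set, the replaced arguments in torture_setup_create_sshd_config pass empty strings for both the `HostKey` keyword and its path, which presumably (the format string is outside the hunk) leaves lines consisting of a lone space in the generated sshd_config; sshd tolerates that, but a reader of the file cannot tell the omission was deliberate. Hoisting the choice into locals such as `const char *hostkey_kw = s->disable_hostkeys ? "" : "HostKey";` and adding a short comment at the call site, `/* disable_hostkeys: emit no HostKey directives so sshd uses only the GSSAPI null host key */` if that is indeed the intent, would keep the config generation readable. The new lines also pack two arguments per line where the surrounding list keeps one per line; matching that layout would ease review. The function starts outside the hunk.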